UNITED STATES GOVERNMENT
National Labor Relations Board
Office of Inspector General

Cloud Computing

Report No. OIG-AMR-74-14-03

September 11, 2014

CONTENTS

EXECUTIVE SUMMARY

BACKGROUND

OBJECTIVE, SCOPE, AND METHODOLOGY

CIGIE CLOUD COMPUTING TEMPLATE

FINDINGS

     Best Practices for Cloud Computing
     Recommendation
     Limitations on Services
     Recommendation
     FAR Clauses
     Recommendation
     Compliance with FedRAMP
     Recommendation

APPENDIX

     Memorandum from the Chief Financial Officer and the Chief Information
     Officer, Response to Audit of the National Labor Relations Board Cloud
     Computing Report No. OIG-AMR-74-XX-XXX, dated September 8, 2014

EXECUTIVE SUMMARY

Cloud computing offers a unique opportunity for the Federal Government to take advantage of cutting-edge information technologies to dramatically reduce procurement and operating costs and greatly increase the efficiency and effectiveness of services. That opportunity, however, brings with it challenges and vulnerabilities.

This audit evaluates the Agency’s efforts to adopt cloud computing technologies and review contracts for cloud services for compliance with applicable standards. We conducted this audit in conjunction with a Governmentwide initiative by the Council of the Inspectors General on Integrity and Efficiency. We compiled results of our audit into a Governmentwide report.

We generally found that the Agency is using and monitoring its cloud computing services. We also noted areas where the acquisition and implementation processes would benefit from additional procedures.

The Chief Financial Officer and the Chief Information Officer provided comments on the draft report. They stated that they concurred with the report’s recommendations and that the Agency is committed to acting upon them. The comments also noted that the Acquisitions Management Branch has designated Contracting Officers for information technology and cloud computing procurements and that those individuals were the only representatives from the acquisitions career field at the Federal Mobile and Cloud Computing Summit in June 2014.
The comments provided examples of actions that the Agency has taken to use cloud computing to maximize capacity utilization, improve flexibility and responsiveness, and minimize cost.

BACKGROUND

The National Institute of Standards and Technology (NIST) defines cloud computing as a model for on-demand network access to shared computing resources. Cloud computing presents the Federal Government with an opportunity to transform its Information Technology (IT) portfolio by giving agencies the opportunity to focus on paying for IT services consumed rather than buying IT capacity. As a result, cloud computing helps the Government increase operational efficiencies, resource utilization, and innovation across its IT portfolio and delivers a higher return on investment to the taxpayer. Because of this potential, the U.S. Chief Information Officer instituted a “Cloud First” policy, which is intended to accelerate the pace at which the Government will realize the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments.

Despite the potential benefits, cloud services also have potential vulnerabilities.
The vulnerabilities include the complexity of a cloud computing environment, dependency on the cloud service provider to maintain separation of an agency’s data, and the need to retain appropriate control.

OBJECTIVE, SCOPE, AND METHODOLOGY

This audit’s objectives were to evaluate the Agency’s efforts to adopt cloud computing technologies and review contracts for cloud services for compliance with applicable standards. The audit scope was cloud computing services that the Agency used through February 2014.

We interviewed staff in the Office of the Chief Information Officer (OCIO) and the Acquisitions Management Branch (AMB) regarding the Agency’s processes for acquiring and managing cloud computing services. We reviewed the Federal Acquisition Regulation (FAR) and Governmentwide guidance on cloud computing systems issued by NIST and the Office of Management and Budget (OMB). We also reviewed guidance jointly published by the Chief Information Officers Council (CIO Council) and the Chief Acquisition Officers Council (CAO Council) regarding best practices for acquiring cloud computing services.

We obtained a listing of the Agency’s cloud computing systems from the OCIO.
From that listing, we selected a judgmental sample of the systems with the four largest contract values and obtained the contract files from AMB and other documentation related to the cloud computing systems from the OCIO.

For each system in the sample, we reviewed the contract files to determine whether:

•   The contracts with cloud service providers clearly define the roles and responsibilities of the Agency, cloud service provider, and, if applicable, system integrators;

•   The contracts with cloud service providers contain service level agreements that define performance with clear terms and definitions, demonstrate how performance is being measured, and specify what enforcement mechanisms are in place to ensure the service level agreements are met;

•   The contracts with cloud service providers contain recommended language for allowing Agency personnel access to a cloud service provider’s facilities to perform audit and investigative activities as needed;

•   The Agency monitors its cloud computing providers and integrators to ensure that service level obligations are met;

•   The Agency centrally manages contracts with cloud service providers to fully recognize all applicable pricing discounts; and

•   The Agency’s cloud service providers are compliant with the Federal Risk and Authorization Management Program (FedRAMP).

This audit was conducted in conjunction with a Governmentwide initiative by the Council of the Inspectors General on Integrity and Efficiency (CIGIE). To perform the audit, we completed the CIGIE-provided template questionnaire.
The audit results were consolidated with the responses of other Federal agencies as a part of a CIGIE report.

We conducted this performance audit in accordance with generally accepted government auditing standards during the period February 2014 through June 2014. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

CIGIE CLOUD COMPUTING TEMPLATE

Responses are given for each of the four sampled cloud services. Where the template called for a single Agency-wide response rather than one per service, that response is shown once in the first response column.

| Question | Amazon Web Services | DiscoverText | Office 365 | ServiceNow |
| 1.1 Date the Agency's Inspector General Contact received the completed CIGIE Cloud Computing Survey from the Agency. | February 27, 2014 (single response) | | | |
| 1.2 If the Agency did not return a completed survey, please provide a reason why in the response field (i.e., Agency was not able to provide because it did not have any cloud systems in its inventory). | Not Applicable (single response) | | | |
| 2.1 How many total cloud IT services were identified from the survey? | 6 (single response) | | | |
| 2.2 How many unique cloud service providers were identified from the survey? | 6 (single response) | | | |
| 3.1 Did the Cloud contract include Terms of Service clauses? | No | No | No | Yes |
| 3.1a If not, did the Department/Agency sign a Terms of Service agreement with the cloud service provider? | Yes | No | No | N/A |
| 3.2 If the Terms of Service clauses were not directly within the contract, but referenced within the contract, were the Terms of Service clauses negotiated and agreed to prior to the contract being awarded? | No | N/A | N/A | N/A |
| 3.3 Is there a Departmental/Agency official assigned to monitor the cloud service provider's compliance with the Terms of Service? | Yes | Yes | Yes | Yes |
| 3.4 Is there a Departmental/Agency official assigned to monitor the Agency's compliance with the Terms of Service? | Yes | Yes | Yes | Yes |
| 3.5 Do the Terms of Service clauses or the Cloud contract address timeframes that the cloud service provider will need to follow in order to comply with Federal agency rules and regulations? | No | No | No | No |
| 3.6 Did the cloud service provider sign a non-disclosure agreement with the Department/Agency in order to protect non-public information that is procurement-sensitive, or affects pre-decisional policy, physical security, or other information deemed important to protect? | No | No | No | No |
| 3.6a If so, does the non-disclosure agreement establish rules of behavior for the cloud service provider and a method to monitor end users' activities in the cloud environment? | N/A | N/A | N/A | N/A |
| 3.6b If so, is there a Departmental/Agency official assigned to monitor the cloud service provider's compliance with the non-disclosure agreement? | N/A | N/A | N/A | N/A |
| 4.1 Does the Agency have an executed Service Level Agreement with the cloud service provider, either as part of the contract, or as a stand-alone document? | Yes | No | No | Yes |
| 4.2 Does the executed Service Level Agreement for the cloud service specify required uptime percentages? | Yes | N/A | N/A | Yes |
| 4.3 Does the executed Service Level Agreement for the cloud service describe how the uptime percentage is calculated? | Yes | N/A | N/A | Yes |
| 4.4 Does the executed Service Level Agreement detail remedies to be paid by the cloud service provider to the Agency if the uptime requirements are not met? | Yes | N/A | N/A | Yes |
| 4.5 Has the Department/Agency assigned someone to monitor the actual uptime, compare it to the percentage included in the executed Service Level Agreement, and pursue service credits if applicable? | Yes | N/A | N/A | Yes |
| 4.6 Has the Department/Agency realized any service credits due to uptime failures? | Yes | N/A | N/A | N/A |
| 4.7 Does the executed Service Level Agreement detail data preservation responsibilities? | Yes | N/A | N/A | Yes |
| 4.8 Does the executed Service Level Agreement address scheduled service outages? | No | N/A | N/A | Yes |
| 4.9 Does the executed Service Level Agreement require a service outage to be announced in advance in order not to be considered a failure to meet uptime requirements? | No | N/A | N/A | Yes |
| 4.10 Does the executed Service Level Agreement address Service Agreement Changes? | Yes | N/A | N/A | Yes |
| 4.11 If the cloud service provider reserves the right to modify the terms of the service agreement at any time, does the executed Service Level Agreement require the cloud service provider to provide notice of the changes to the Agency? | Yes | N/A | N/A | No |
| 5.1 Does the Cloud contract, Service Level Agreement, or Terms of Service agreement contain FAR clause 52.239-1, allowing the Agency access to the cloud service provider's facilities, installations, technical capabilities, operations, documentation, records, and databases? | Yes | No | Yes | Yes |
| 5.2 Does the Cloud contract, Service Level Agreement, or Terms of Service allow agencies to conduct forensic investigations for both criminal and non-criminal purposes without interference from the cloud service provider? | No | No | Yes | No |
| 5.3 Does the Cloud contract, Service Level Agreement, or Terms of Service allow the cloud service provider to only make changes to the cloud environment under specific standard operating procedures agreed to by the cloud service provider and the Federal agency in the contract? | No | No | Yes | No |
| 5.4 Does the Cloud contract, Service Level Agreement, or Terms of Service include FAR clause 52.203-13, requiring contractors to fully cooperate by disclosing sufficient information for law enforcement to identify the nature and extent of the offense as well as providing timely response to Government auditors' and investigators' requests for documents and access to employees with information? | Yes | No | Yes | Yes |
| 5.5 Does the Cloud contract, Service Level Agreement, or Terms of Service address procedures for electronic discovery when conducting a criminal investigation? | Yes | No | Yes | No |
| 5.6 Does the Cloud contract, Service Level Agreement, or Terms of Service agreement contain FAR clause 52.215-2, granting the Inspector General access to (i) examine any of the Contractor's or any subcontractor's records that pertain to and involve transactions relating to this contract or a subcontract hereunder; and (ii) interview any officer or employee regarding such transactions? | Yes | No | No | Yes |
| 5.7 Does the Cloud contract, Service Level Agreement, or Terms of Service include language allowing the Office of Inspector General full and free access to the Contractor's (and subcontractor's) facilities, installations, operations, documentation, databases, and personnel used in performance of the contract in order to conduct audits, inspections, investigations, or other reviews? | No | No | Yes | No |
| 6.1 Has the Agency designated a person responsible for monitoring the cloud service provider and/or the system integrator to verify that contractual obligations are met? | Yes | Yes | Yes | Yes |
| 6.2 Does the Agency monitor its cloud service providers to ensure its service level obligations are met? | Yes | Yes | Yes | Yes |
| 6.3 Does the Agency monitor its system integrator, if different from the cloud service provider, to ensure its service level obligations are met? | Yes | N/A | N/A | N/A |
| 7.1 Does the Department/Agency have an office or group that centrally manages cloud service contracts to recognize applicable pricing discounts? | No (single response) | | | |
| 7.1a If so, was this office/group utilized to procure all cloud services sampled? | N/A (single response) | | | |
| 7.2 Were any pricing discounts realized on the cloud services procured? | No | Yes | No | No |
| 7.2a If so, document the amount of savings identified into the response field. | N/A | $31,604 | N/A | N/A |
| 7.3 Was a Blanket Purchase Agreement used to procure this cloud service? | No | No | No | No |
| 7.4 Was a GSA Cloud Blanket Purchase Agreement used to procure this cloud service? | No | No | No | No |
| 7.5 Was the GSA IT 70 Federal Supply Schedule used to procure this cloud service? | Yes | No | No | Yes |
| 7.6 Was a cost savings analysis performed on the use of the cloud service? | Yes | No | Yes | No |
| 7.6a If so, document the amount of savings identified into the response field. | $500,000 (over 6 years) | N/A | $1,000,000 | N/A |
| 8.1 Is the cloud service FedRAMP Compliant? | Yes | No | Yes | No |
| 8.1a If not, has the Agency or the cloud service provider applied to FedRAMP to initiate the assessment review? | N/A | No | N/A | Yes |
| 8.1b If not, has the cloud service provider documented its FedRAMP implemented security controls in its System Security Plan? | N/A | No | N/A | Yes |
| 8.1c If not, has the cloud service undergone an independent assessment completed by a FedRAMP approved Third Party Assessment Organization (3PAO)? (Verify if the vendor is included on the "FedRAMP Compliant 3PAO" list, included in the criteria links.) | N/A | No | N/A | No |
| 8.1d Specify assessment organization in response field. | N/A | N/A | N/A | Veris Group |
| 8.2 Has the cloud service provider received a Provisional Authorization from the Joint Authorization Board? | N/A | No | Yes | No |
| 8.3 Did the Agency leverage, or does it plan on leveraging, a pre-existing Provisional Authorization from a FedRAMP approved cloud service provider? | Yes | No | Yes | Yes |
| 8.3a If so, did the Agency separately address a subset of security controls with the cloud service provider that was not documented in the Provisional Authorization originally granted by the Joint Authorization Board? | No | N/A | No | No |
| 9.1 Does the cloud service have an authorization from the FedRAMP Joint Authorization Board? | Yes | No | Yes | No |
| 9.2 Does the cloud service have an Authority To Operate from the Agency? | No | N/A | No | N/A |

FINDINGS

Best Practices for Cloud Computing

In February 2012, the CIO Council and the CAO Council jointly published a paper titled “Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service.” The paper provides Federal agencies more specific guidance in effectively implementing the “Cloud First” policy and moving forward with the Federal Cloud Computing strategy by focusing on ways to more effectively procure cloud services within existing regulations and laws. The paper is intended to be guidance developed from the best practices across government and industry for agencies to use when entering the procurement process.

The Agency entered into procurement actions for the purchase of cloud computing services that did not follow the identified best practices. These include:

•   Federal agencies need to know if a cloud service provider requires an end user to agree to Terms of Service in order to use the cloud service provider’s services prior to signing a contract. Terms of Service restrict the ways Federal Agency consumers can use cloud service provider environments. If the Terms of Service are not directly within the contract but referenced within the contract, they should be negotiated and agreed upon prior to contract award. Two of the four cloud services tested contained Terms of Service, one of which had a separate agreement. The separate agreement, however, was not agreed upon until after the award of the contract.

    Additionally, the terms of service must address time requirements that a cloud service provider will need to follow to comply with Federal agency rules and regulations, including statutory requirements and associated deadlines.
The contract documents for the four cloud services tested did not contain these requirements.

•   Federal agencies often require cloud service provider personnel to sign non-disclosure agreements when dealing with Federal data in order to ensure that cloud service provider personnel protect non-public information that is procurement-sensitive or affects pre-decisional policy or physical security. For the four cloud services tested, the Agency did not enter into non-disclosure agreements with the cloud service provider.

•   Service level agreements define acceptable service levels to be provided by the cloud service provider to its customer in measurable terms. Federal agencies should ensure that cloud service provider performance is clearly specified in all service level agreements, and that all such agreements are fully incorporated, either by full text or by reference, into the cloud service provider contract. Two of the four cloud computing services did not have an executed service level agreement.

•   Federal agencies should require cloud service providers to allow forensic investigations for both criminal and non-criminal purposes, and should require that investigations be conducted without affecting data integrity and without interference from the cloud service providers. Additionally, Federal agencies should ensure that cloud service providers are only allowed to make changes related to the cloud environment under specific operating procedures and have procedures for electronic discovery when conducting criminal investigations.

    For the four cloud services tested, only Office 365 contained all three best practices; Amazon Web Services contained language related to electronic discovery; and the other two cloud services did not contain any of the proposed language.

Recommendation

1. We recommend that the Chief Financial Officer establish procedures to ensure that the appropriate CIO Council and CAO Council best practices are incorporated into future procurements of cloud computing services.

Limitations on Services

The terms of service for a cloud service are determined by a legally binding agreement between the two parties contained in a service agreement and a service level agreement. The service level agreement states the technical performance promises made by a provider, including remedies for performance failures.
NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations, identifies limitations that cloud service provider policies generally have, including scheduled service outages not counting as a failure to perform, providers reserving the right to change the terms of the service agreement at any time, and providers changing pricing with limited advance notice. NIST recommends that if the terms of the default service agreement do not address the agency’s needs, the agency should discuss modifications of the service agreement prior to use.

The Agency entered into service level agreements for two of the four cloud services tested. The service level agreements do not address the limitations identified by NIST, as described below:

•   The service level agreement for Amazon Web Services does not address scheduled outages and the scheduling of those outages in advance; and

•   The service level agreement for ServiceNow does not require that notice be provided for changes to the agreement.

Recommendation

2. We recommend that the Chief Financial Officer establish procedures to address modifications to service level agreements when the agreements do not meet the needs of the Agency, as identified by the Chief Information Officer.

FAR Clauses

The FAR contains the following access-related clauses:

•   52.203-13, Contractor Code of Business Ethics and Conduct, which states that the contractor’s internal control system shall provide for full cooperation with any Government agencies responsible for audits, investigations, or corrective actions. Full cooperation is defined as “disclosure to the Government of the information sufficient for law enforcement to identify the nature and extent of the offense and the individuals responsible for the conduct. It includes providing timely and complete response to Government auditors’ and investigators’ requests for documents and access to employees with information.”

•   52.215-2, Audit and Records—Negotiation, which states that the Comptroller General, an appropriate Inspector General, or an authorized representative of either, shall have access to and the right to examine any of the Contractor’s or any subcontractor’s records that pertain to and involve transactions relating to this contract or a subcontract hereunder, and to interview any officer or employee regarding such transactions.

•   52.239-1, Privacy or Security Safeguards, which states that “To the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of Government data, the Contractor shall afford the Government access to the Contractor’s facilities, installations, technical capabilities, operations, documentation, records, and databases.”

For the four cloud services tested, Amazon Web Services and ServiceNow contained the three FAR clauses. For the two remaining contracts, one had Clauses 52.203-13 and 52.239-1, and the other did not contain any of the clauses.

Recommendation

3.
We recommend that the Chief Financial Officer establish procedures to\n   ensure that all FAR clauses related to access to cloud systems are\n   incorporated into future procurements of cloud services.\n\nCompliance with FedRAMP\n\n                 FedRAMP is a Governmentwide program that provides a\n                 standardized approach to security assessment,\n                 authorization, and continuous monitoring for cloud products\n                 and services. The purpose of FedRAMP is to ensure that\n                 cloud based services used Governmentwide have adequate\n                 information security, eliminate duplication of effort and\n                 reduce risk management costs, and enable rapid and cost-\n                 effective procurement of information systems / services for\n                 Federal agencies. Agencies were required to have their cloud\n\n\n                                      22\n\x0c                  computing systems compliant with FedRAMP by June 2014.\n\n                  As of June 2014, two of the four cloud computing services\n                  tested were not compliant with FedRAMP. For the non-\n                  compliant services, ServiceNow was in the documentation\n                  stage of obtaining a Provisional Authorization by the Joint\n                  Authorization Board, and DiscoverText had not begun the\n                  process. We are not making a recommendation regarding\n                  this issue because it is being addressed at the\n                  Governmentwide level.\n\n                  Federal agencies are required by the Federal Information\n                  Security Management Act (FISMA) to individually accept risk\n                  and grant an authority to operate before placing any agency\n                  data into a system. 
Agencies can use the FedRAMP\n                  provisional authorizations to grant an authority to operate\n                  for cloud systems in accordance with FISMA. Authorities to\n                  operate have not been issued by the Chief Information\n                  Officer for the four cloud computing systems tested. The\n                  Chief Information Officer concurred with this finding and\n                  noted that while the cloud service providers do not have a\n                  discrete authority to operate, Office 365 and ServiceNow are\n                  initially identified and scheduled for assessment as part of\n                  the Agency\xe2\x80\x99s General Support System.\n\nRecommendation\n\n4. We recommend that the Chief Information Officer develop procedures to\n   ensure that Agency systems are granted an authority to operate prior to\n   placing Agency data into the system.\n\n\n\n\n                                      23\n\x0cAPPENDIX\n\x0cUNITED STATES GOVERNMENT\nNational Labor Relations Board\nOffice of the Chief Financial Officer\nMemorandum\n\n\n\n\n                                                   Date: September 8, 2014\n\nTo:    David P. Berry\n       Inspector General\n\nFrom: Ronald E. Crupi\n      Chief Financial Officer\n\n       Bryan Burnett\n       Chief Information Officer\n\n\nSubject: Response to Audit of the National Labor Relations Board Cloud Computing Report\nNo. 
OIG-AMR-74-XX-XXX\n\nAs noted in the Executive Summary of the above subject report, the Chief Financial Officer\n(CFO) and Chief Information Officer (CIO) concur with the Office of Inspector General\xe2\x80\x99s (OIG)\nfour recommendations and are committed to acting on them.\n\nWe appreciate the Inspector General\xe2\x80\x99s recognition of the applicable compliance with Cloud\nComputing requirements as we work within the Office of the Chief Financial Officer (OCFO),\nAcquisitions Management Branch (AMB), in partnership with the Office of the Chief\nInformation Officer (OCIO), to implement the Inspector General\xe2\x80\x99s recommendations.\n\nAMB has realigned its designated Contracting Officers to focus on the Information Technology\nrequirements to include cloud computing. Accordingly, the NLRB was the only Government\nAgency to have representatives from the Acquisition career field at the Federal Mobile & Cloud\nComputing Summit in June 2014. This forum recognized the need for specialization of\nInformation Technology and Cloud Computing in the Acquisition field. Further, the AMB is\nworking on an Acquisition Handbook which will codify the OIG\xe2\x80\x99s recommendations to ensure\ncompliance with all referenced Cloud Computing requirements.\n\nThe OCIO presently is developing procedures to ensure that Agency systems are granted an\nauthority to operate prior to placing Agency data into the system.\n\nIn this report, the OIG found that the Agency is utilizing cloud computing services. Encouraged\nby the Federal Government\xe2\x80\x99s Cloud First policy, the Agency has sought to take full advantage of\n\x0ccloud computing benefits to maximize capacity utilization, improve IT flexibility and\nresponsiveness, and minimize cost. 
Agency efforts contained in the OIG report include:\n\nx   The Agency was an early adopter of the ServiceNow cloud Information Technology Services\n    Management (ITSM) platform, which the Office of the CIO uses to be more transparent,\n    provide Agency staff with multiple ways to get quality support, and as the technology\n    enabler of its internal effectiveness initiatives.\n\nx   The Agency migrated its email repositories and services to Microsoft\xe2\x80\x99s cloud-based, software\n    as a service solution, Office 365. The Agency repurposed the nearly one million dollar\n    investment in its email infrastructure to extend the lifespan of its Next Generation Case\n    Management (NxGen) System on-premises infrastructure, and is now using the Office 365\n    platform to efficiently deliver administrative systems.\n\nx   The Agency utilized Amazon\xe2\x80\x99s Elastic Compute Cloud to:\n       o Reconstruct the NxGen case management development environment to support its\n          agile development process.\n       o Save approximately $500,000 over the next 6 years by hosting its own legacy\n          financial data rather than utilizing a shared services provider.\n\n\n\n\n                                                                                            Digitally signed by BRYAN BURNETT\n                      Digitally signed by Ronald Crupi                                      DN: c=US, o=U.S. 
Government, ou=National\n\n\nRonald Crupi          DN: cn=Ronald Crupi, o=National Labor Relations\n                      Board, ou=CFO, email=rcrupi@nlrb.gov, c=US\n                      Date: 2014.09.08 21:33:24 -04\'00\'\n                                                                                            Labor Relations Board, cn=BRYAN BURNETT,\n                                                                                            0.9.2342.19200300.100.1.1=63001000009719\n                                                                                            Date: 2014.09.08 19:12:01 -04\'00\'\n____________________________________                                    _______________________________\n\nRonald E. Crupi, Chief Financial Officer                                Bryan Burnett, Chief Information Officer\n\n\n\n\nCopy: Chairman\n      General Counsel\n      Deputy General Counsel\n\x0c'